[BUG] Privileges are incorrectly evaluated in case of shrink, clone and split index operations #2141

kt-eliatra · 2022-10-05T11:12:54Z

What is the bug?
A forbidden response is returned for shrink, clone and split operations even when user has all required permissions to the source index.
In addition, it seems that permissions to create the target index are not verified at all.

How can one reproduce the bug?
Steps to reproduce the behavior:

Define user, role, and role mapping, e.g.:

internal_users.yml
    test-user:
      hash: ...
roles.yml
    test-user-role:
      index_permissions:
        - index_patterns:
            - 'source-index'
          allowed_actions:
            - 'indices:admin/resize'
            - 'indices:monitor/stats'
roles_mapping.yml
    test-user-role:
      reserved: false
      users:
      - "test-user"

Upload configuration
Create source index, e.g.:

curl --location --request PUT 'https://localhost:9200/source-index' \
--header 'Authorization: Basic ...' \
--header 'Content-Type: application/json' \
--data-raw '{
  "settings": {
    "index": {
      "blocks.write": true
    }
  }
}'

Try to execute shrink/split/clone operation as the user created in previous step, e.g.:

curl --location --request PUT 'https://localhost:9200/source-index/_clone/target-index' \
--header 'Authorization: Basic ...'

Response status code is equal to 403, body says that no permissions for [indices:admin/resize] and User ....
Update role setup & upload configuration, e.g.

roles.yml
    test-user-role:
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:admin/resize'
        - index_patterns:
            - 'source-index'
          allowed_actions:
            - 'indices:monitor/stats'

Try to execute shrink/split/clone operation as the user created in previous step, e.g.:

curl --location --request PUT 'https://localhost:9200/source-index/_clone/target-index' \
--header 'Authorization: Basic ...'

Response status code is equal to 200, target index exists

What is the expected behavior?
It should be possible to grant the 'indices:admin/resize' permission to selected index/indices.
It should be verified whether the user has the right to create the target index or not.

What is your host/environment?

OS: Linux Mint
Version: 20.3
Plugins: Security Plugin 2.3.0.0

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
The problem was noticed during writing integration tests for index operations.

The text was updated successfully, but these errors were encountered:

vinayak15 · 2022-10-10T19:29:00Z

[Triaged] @cliu123 Can you please help to look into this issue ?

cliu123 · 2022-10-17T19:27:14Z

@kt-eliatra test-user-role grants permissions to source-index index, but the request in step #4 is against target-index index. Would you please check if there are any things misconfigured?

kt-eliatra · 2022-10-20T08:44:43Z

@kt-eliatra test-user-role grants permissions to source-index index, but the request in step #4 is against target-index index. Would you please check if there are any things misconfigured?

403 is returned even if the role is configured like this:

test-user-role:
  index_permissions:
    - index_patterns:
        - 'source-index'
      allowed_actions:
        - 'indices:admin/resize'
        - 'indices:monitor/stats'
    - index_patterns:
        - 'target-index'
      allowed_actions:
        - '*'

MaciejMierzwa · 2023-10-13T10:07:42Z

Hi @derek-ho are you still looking into it? Could I take over?

MaciejMierzwa · 2023-11-15T11:11:55Z

Here's PR: #3716
Note: there are some ci fails, but those are not connected to the fix I made. It's some problems with port allocation during test execution and other similar things

### Description Bug fix. Shrink, or resize operations weren't properly evaluated. More in the task: #2141 ### Issues Resolved #2141 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [x] New functionality includes testing - [x] New functionality has been documented - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> (cherry picked from commit 3c01fde) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

### Description test PR ### Issues Resolved - #3426 - #2141 - #2169 Similar to this task: #1917 From what I've noticed some logs are duplicated on faster machines. During test creation audit logging results were added based on actual results produced by tests. Now if there are slower moments where logging produces non-duplicated logs, those were marked as failed. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> Signed-off-by: MaciejMierzwa <[email protected]>

Search operation test flakiness fix - opensearch-project#3426 - opensearch-project#2141 - opensearch-project#2169 Similar to this task: opensearch-project#1917 From what I've noticed some logs are duplicated on faster machines. During test creation audit logging results were added based on actual results produced by tests. Now if there are slower moments where logging produces non-duplicated logs, those were marked as failed. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> Signed-off-by: MaciejMierzwa <[email protected]> (cherry picked from commit 9da4a78)

Search operation test flakiness fix - opensearch-project#3426 - opensearch-project#2141 - opensearch-project#2169 Similar to this task: opensearch-project#1917 From what I've noticed some logs are duplicated on faster machines. During test creation audit logging results were added based on actual results produced by tests. Now if there are slower moments where logging produces non-duplicated logs, those were marked as failed. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> Signed-off-by: MaciejMierzwa <[email protected]> (cherry picked from commit 9da4a78) Signed-off-by: Maciej Mierzwa <[email protected]>

### Description Bug fix. Shrink, or resize operations weren't properly evaluated. More in the task: opensearch-project#2141 ### Issues Resolved opensearch-project#2141 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [x] New functionality includes testing - [x] New functionality has been documented - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> Signed-off-by: Prabhas Kurapati <[email protected]>

### Description test PR ### Issues Resolved - opensearch-project#3426 - opensearch-project#2141 - opensearch-project#2169 Similar to this task: opensearch-project#1917 From what I've noticed some logs are duplicated on faster machines. During test creation audit logging results were added based on actual results produced by tests. Now if there are slower moments where logging produces non-duplicated logs, those were marked as failed. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> Signed-off-by: MaciejMierzwa <[email protected]> Signed-off-by: Prabhas Kurapati <[email protected]>

### Description test PR ### Issues Resolved - opensearch-project#3426 - opensearch-project#2141 - opensearch-project#2169 Similar to this task: opensearch-project#1917 From what I've noticed some logs are duplicated on faster machines. During test creation audit logging results were added based on actual results produced by tests. Now if there are slower moments where logging produces non-duplicated logs, those were marked as failed. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]> Signed-off-by: MaciejMierzwa <[email protected]>

kt-eliatra added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Oct 5, 2022

davidlago added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Oct 10, 2022

derek-ho self-assigned this Aug 29, 2023

MaciejMierzwa mentioned this issue Oct 13, 2023

[Test] SearchOperationTest is flaky #3426

Closed

4 tasks

davidlago assigned MaciejMierzwa and unassigned derek-ho Oct 24, 2023

MaciejMierzwa mentioned this issue Oct 26, 2023

Search operation test flakiness fix #3602

Merged

MaciejMierzwa mentioned this issue Nov 14, 2023

Shrink operation privileges evaluation #3716

Merged

3 tasks

cwperks closed this as completed in 3c01fde Nov 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Privileges are incorrectly evaluated in case of shrink, clone and split index operations #2141

[BUG] Privileges are incorrectly evaluated in case of shrink, clone and split index operations #2141

kt-eliatra commented Oct 5, 2022

vinayak15 commented Oct 10, 2022

cliu123 commented Oct 17, 2022

kt-eliatra commented Oct 20, 2022

MaciejMierzwa commented Oct 13, 2023

MaciejMierzwa commented Nov 15, 2023

[BUG] Privileges are incorrectly evaluated in case of shrink, clone and split index operations #2141

[BUG] Privileges are incorrectly evaluated in case of shrink, clone and split index operations #2141

Comments

kt-eliatra commented Oct 5, 2022

vinayak15 commented Oct 10, 2022

cliu123 commented Oct 17, 2022

kt-eliatra commented Oct 20, 2022

MaciejMierzwa commented Oct 13, 2023

MaciejMierzwa commented Nov 15, 2023